Applying risk management principles to information security is typically a challenge, but this is largely due to incorrect perceptions by the business, said News International CISO Amar Singh.


“The minute you mention risk management, most business people think of having to fill in a risk register in the form of a spreadsheet, which most people dislike,” Amar Singh told Computer Weekly.

Singh is on a mission to move beyond this perception by introducing risk management “by stealth” in his organisation.

“Communication is my main modus operandi, my weapon of choice,” he said.

By talking to every business manager about risk in every context of the business, not just IT, he offers expertise and support for whatever form of risk management they want to adopt.

“Picking up the admin involved provides an opportunity to introduce the concept of a risk management framework, which makes managing risk part of business as usual,” said Singh.

He believes this is much more effective than kicking off a big project to adopt a risk management framework across an organisation.

Singh also believes it is important to encourage people to think about opportunities as well as risks, such as the opportunity to introduce secure software development processes to mitigate application risk.

By enabling everyone to contribute to identifying risks and opportunities, he has been able to get much better engagement from people in the business.

“The minute anyone mentions the opportunity angle, the uptake increases because people feel they have a stake in what they are doing rather than just identifying problems,” said Singh.

While it is necessary to have a risk management policy and process guide in place to provide the necessary framework, that should not be the starting point, he said.

According to Singh, one of the most obvious benefits of a risk-based approach to security is that making a business case for investments at budget time is much easier.

It is difficult to get budget for “addressing software security,” but relatively easy to get budget for technology that reduces or eliminates the risk of a £2m fine for poor software security practices, he said.

“A risk-based approach enables IT security professionals to articulate the need for investment or other action in terms that the business is better able to understand,” said Singh.

Information technology underpins just about everything people do in business today, he said, which also provides an opportunity to engage with everyone across an organisation and get buy-in.

Support from the top is also vital.

“If you have a mandate from the CEO, you will have the ear of everyone below, and they will be far more likely to be willing to act based on risk.”

Another key component is to develop key performance indicators, as Singh is doing at News International.

“This is very useful in justifying big projects and demonstrating how security can make a difference to the bottom line while keeping technology out of it,” he said.

The ultimate goal should be managing risk, not just putting risk in a spreadsheet. “There must be a proper framework in place to address risk fully,” he said.
